Forensics 101: Getting Information out of Corrupted Compressed Files

in #technology, 7 years ago

In my last post, Forensics 101: Basic Approach to File Analysis, we discussed the basic approach to finding information in generic files: going through all the readable plain-text strings in the file and making sense of them. In a perfect world that would probably be enough; in the real world, however, it is far from over.

Imagine we have to analyze a damaged zipped file. (If you don't know, encryption is applied to files that are being zipped, so don't expect readable text.) To make matters worse, we can't unzip the file, seeing as it's corrupted.

Take this example from the angstromCTF 2017 Forensics challenge: we were provided with an "essay.docx" file. The problem is that we can't open it.

Since ".docx" is basically just a zip file that contains all the XML files pertaining to the document, we should expect that the file is compressed and then encrypted. Checking it in Hiew (Hacker's View):

Now, how do we proceed from this?

Logically, repairing the file is the best answer. If we can repair the file, we will be able to view the contents inside the ".docx" file. The problem is that it would probably take too much time, and we don't know how to repair corrupted files. Since all we want to do is see the contents inside the file, we can try this.

As I've said before, ".docx is basically just a zip file". If we treat it like one, we can use the following command to force-fix it:

zip -FF [input] --out [output]

We can now check the contents inside the file. Since it's in XML format, it will look like this. And there's our flag.
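As an added example (not the author's code, and not the zip tool's own source), the Python below does by hand roughly what `zip -FF` does: it builds a small .docx-like archive, cuts off the central directory so a normal unzip fails, then walks the local file headers and inflates each XML part directly. The document text and the flag value are constructed for the demo.

```python
import io
import struct
import zipfile
import zlib

FLAG_TEXT = b"actf{constructed_example_flag}"  # constructed, not the real challenge flag


def build_sample_docx() -> bytes:
    # Constructed sample: a tiny .docx-like archive (a zip holding XML parts).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", b"<w:document><w:body><w:p><w:r><w:t>"
                    + FLAG_TEXT + b"</w:t></w:r></w:p></w:body></w:document>")
    return buf.getvalue()


def corrupt_central_directory(data: bytes) -> bytes:
    # Truncate just before the central directory, which sits at the end of a zip.
    # Unzip tools rely on that directory, so the result no longer opens.
    return data[:data.find(b"PK\x01\x02")]


def is_openable(data: bytes) -> bool:
    try:
        with zipfile.ZipFile(io.BytesIO(data)):
            return True
    except zipfile.BadZipFile:
        return False


def carve_entries(data: bytes) -> dict:
    # Walk the local file headers (PK\x03\x04) and inflate each entry directly,
    # ignoring the (missing) central directory, as `zip -FF` does when rebuilding.
    entries, pos = {}, 0
    while True:
        pos = data.find(b"PK\x03\x04", pos)
        if pos < 0:
            return entries
        # Header: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4)
        # csize(4) usize(4) name_len(2) extra_len(2), then name and extra field.
        _flags, method, crc, _csize, usize, name_len, extra_len = struct.unpack_from(
            "<2xHH4xIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        start = pos + 30 + name_len + extra_len
        if method == 8:  # deflate: inflate to end-of-stream rather than trusting csize
            inflater = zlib.decompressobj(-15)  # raw deflate, no zlib wrapper
            payload = inflater.decompress(data[start:])
            pos = len(data) - len(inflater.unused_data)
        elif method == 0:  # stored
            payload, pos = data[start:start + usize], start + usize
        else:  # unsupported method: skip the header and keep scanning
            pos = start
            continue
        # Keep the part only if its CRC checks out (crc 0 means it lives in a data descriptor)
        if crc == 0 or zlib.crc32(payload) == crc:
            entries[name] = payload
```

Run `carve_entries(corrupt_central_directory(build_sample_docx()))` and grep the returned `word/document.xml` bytes for the `<w:t>` text, which is where the flag ends up in a real document.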


I don't understand (is it a hacking file???)... cool article btw...

Depends on how you use it. This is mostly a tutorial and/or write-up for CTF (WTF is CTF?) focusing on forensics and on compressed files.

thanks... I'll check wtf is ctf.......hehehe

maybe there might be a technical problem......
it can be seen again and again.... @jlordc dear
maybe the solution...
